New Court of Appeal Judgment on handling of DNA materials by the police

Posted on | by Rupert Paines

The question of what uses can properly be made of DNA data held by the police is an acutely sensitive one. In X and Commissioner of the Police of the Metropolis and anor v Z (Children) and anor[2015] EWCA Civ 34, the Court of Appeal has held that, where such data is obtained by police in exercise of their search and seizure powers under Part II of PACE 1984, it may be retained and used only for the purposes of criminal law enforcement function. Thus, such data cannot be used, for example, in order to resolve issues of paternity in care proceedings before the family court.

The background to the appeal was that X had murdered his partner Y. In the context of care proceedings involving Y’s children, an issue had arisen as to whether X was in fact the biological father of the children. X, despite asserting that he was the children’s biological father, had refused to undergo DNA testing. In response to this refusal, the children’s guardian applied to the court for disclosure of certain DNA profiles held by the Metropolitan Police Service, particularly on the basis that those profiles could then be used to resolve the paternity issue. X objected to the disclosure. Importantly, the DNA profiles in issue had been derived from blood swabs taken by the police from the scene of the murder by the MPS under Part II PACE. It was common ground that the court could not order disclosure of those DNA profiles held by the police in exercise of their powers under Part V PACE (samples taken directly from persons). This was because there is a statutory prohibition contained in Part V of PACE which expressly prohibited the use of such materials other than for the purposes of criminal law enforcement. Munby P, who decided the case at first instance, concluded that the court had a discretion to order disclosure of the Part II DNA profiles and that the disclosure was justified, particularly in view of the Article 8 rights of the children. The MPS appealed, alongside the putative father. The Secretary of State appeared as intervenor.

The Court of Appeal allowed the appeal. It did so on the basis that the President’s approach could not be reconciled with the statutory scheme embodied in PACE, particularly when that scheme was read in a purposive manner and having regard to the Article 8 rights of those individuals whose DNA profiles were held by the police. In reaching this conclusion, the Court relied heavily on the judgment of the European Court of Human Rights in Marper, which itself highlighted the need for substantial controls around the handling of DNA data by the police.

Anya Proops and Sean Aughey acted for the MPS.

Rupert Paines

Googling Orgies – Thrashing out the Liability of Search Engines

Posted on | by Christopher Knight

Back in 2008, the late lamented News of the World published an article under the headline “F1 boss has sick Nazi orgy with 5 hookers”. It had obtained footage of an orgy involving Max Mosley and five ladies of dubious virtue, all of whom were undoubtedly (despite the News of the World having blocked out their faces) not Mrs Mosley. The breach of privacy proceedings before Eady J (Mosley v News Group Newspapers Ltd [2008] EWHC 687 (QB)) established that the ‘Nazi’ allegation was unfounded and unfair, that the footage was filmed by a camera secreted in “such clothing as [one of the prostitutes] was wearing” (at [5]), and also the more genteel fact that even S&M ‘prison-themed’ orgies stop for a tea break (at [4]), rather like a pleasant afternoon’s cricket, but with a rather different thwack of willow on leather.

Since that time, Mr Mosley’s desire to protect his privacy and allow the public to forget his penchant for themed tea breaks has led him to bring or fund ever more litigation, whilst simultaneously managing to remind as many people as possible of the original incident. His latest trip to the High Court concerns the inevitable fact of the internet age that the photographs and footage obtained and published by the News of the World remain readily available for those in possession of a keyboard and a strong enough constitution. They may not be on a scale of popularity as last year’s iCloud hacks, but they can be found.

Alighting upon the ruling of the CJEU in Google Spain that a search engine is a data controller for the purposes of the Data Protection Directive (95/46/EC) (on which see the analysis here), Mr Mosley claimed that Google was obliged, under section 10 of the Data Protection Act 1998, to prevent processing of his personal data where he served a notice requesting it to do so, in particular by not blocking access to the images and footage which constitute his personal data. He also alleged misuse of private information. Google denied both claims and sought to strike them out. The misuse of private information claim being (or soon to be) withdrawn, Mitting J declined to strike out the DPA claim: Mosley v Google Inc [2015] EWHC 59 (QB). He has, however, stayed the claim for damages under section 13 pending the Court of Appeal’s decision in Vidal-Hall v Google (on which see the analysis here).

Google ran a cunning defence to what, post-Google Spain, might be said to be a strong claim on the part of a data subject. It relied on Directive 2000/31/EC, the E-Commerce Directive. Article 13 protects internet service providers from liability for the cached storage of information, providing they do not modify the information. Mitting J was content to find that by storing the images as thumbnails, Google was not thereby modifying the information in any relevant sense: at [41]. Article 15 of the E-Commerce Directive also prohibits the imposition of a general obligation on internet service providers to monitor the information they transmit or store.

The problem for Mitting J was how to resolve the interaction between the E-Commerce Directive and the Data Protection Directive; the latter of which gives a data subject rights which apparently extend to cached information held by internet service providers which the former of which apparently absolves them of legal responsibility for. It was pointed out that recital (14) and article 1.5(b) of the E-Commerce Directive appeared to make that instrument subject to the Data Protection Directive. It was also noted that Google’s argument did not sit very comfortably with the judgment (or at least the effect of the judgment) of the CJEU in Google Spain.

Mitting J indicated that there were only two possible answers: either the Data Protection Directive formed a comprehensive code, or the two must be read in harmony and given full effect to: at [45]. His “provisional preference is for the second one”: at [46]. Unfortunately, the judgment does not then go on to consider why that is so, or more importantly, how both Directives can be read in harmony and given full effect to. Of course, on a strike out application provisional views are inevitable, but it leaves rather a lot of legal work for the trial judge, and one might think that it would be difficult to resolve the interaction without a reference to the CJEU. What, for example, is the point of absolving Google of liability for cached information if that does not apply to any personal data claims, which will be a good way of re-framing libel/privacy claims to get around Article 13?

The Court also doubted that Google’s technology really meant that it would have to engage in active monitoring, contrary to Article 15, because they may be able to do so without “disproportionate effort or expense”: at [54]. That too was something for the trial judge to consider.

So, while the judgment of Mitting J is an interesting interlude in the ongoing Mosley litigation saga, the final word certainly awaits a full trial (and/or any appeal by Google), and possibly a reference. All the judgment decides is that Mr Mosley’s claim is not so hopeless it should not go to trial. Headlines reading ‘Google Takes a Beating (with a break for tea)’ would be premature. But the indications given by Mitting J are not favourable to Google, and it may well be that the footage of Mr Mosley will not be long for the internet.

Christopher Knight

Information Law Conference 2015

Posted on | by Panopticon Blog

Join us at 11KBW’s Annual Information Law Conference on 19th March 2015.  As well as providing an over-view of the key developments in the field of information law, the conference will cover a range of topical issues including: whether the law governing State surveillance is fit for purpose, the relationship between data protection and the media and whether, at 10 years old, FOIA should be seen a boon to or a burden on society. Keynote speaker to be confirmed.

Click here to download the Information Conference Programme.

Venue and Booking information

Venue The Royal College of Surgeons of England, 35 – 43 Lincoln Inn Fields, London WC2A 3PE

Cost £99 + VAT (20%) = £118.80 to attend half day plus lunch; £150 + VAT (20%) = £180.00 to attend full day

EARLY BIRD DISCOUNT – 10% off if you book before 27th February 2015 on both half and full day places.

To Book To book your place on this conference please email RSVP@11kbw.com stating if you would to attend full or half day, the delegate name, firm, email address and any purchase order details you may require. You will be then sent a confirmation email of your place and invoiced. We do not have the facilities to accept payments by credit or debit cards.

CPD accredited with SRA and BSB: 4.5 hours

Data protection: three developments to watch

Posted on | by Robin Hopkins

Panopticon likes data protection, and it likes to keep its eye on things. Here are three key developments in the evolution of data protection law which, in Panopticon’s eyes, are particularly worth watching.

The right to be forgotten: battle lines drawn

First, the major data protection development of 2014 was the CJEU’s ‘right to be forgotten’ judgment in the Google Spain case. Late last year, we received detailed guidance from the EU’s authoritative Article 29 Working Party on how that judgment should be implemented: see here.

In the view of many commentators, the Google Spain judgment was imbalanced. It gave privacy rights (in their data protection guise) undue dominance over other rights, such as rights to freedom of expression. It was clear, however, that not all requests to be ‘forgotten’ would be complied with (as envisaged by the IC, Chris Graham, in an interview last summer) and that complaints would ensue.

Step up Max Moseley. The BBC reported yesterday that he has commenced High Court litigation against Google. He wants certain infamous photographs from his past to be made entirely unavailable through Google. Google says it will remove specified URLs, but won’t act so as to ensure that those photographs are entirely unobtainable through Google. According to the BBC article, this is principally because Mr Moseley no longer has a reasonable expectation of privacy with respect to those photographs.

The case has the potential to be a very interesting test of the boundaries of privacy rights under the DPA in a post-Google Spain world.

Damages under the DPA

Second, staying with Google, the Court of Appeal will continue its consideration of the appeal in Vidal-Hall and Others v Google Inc [2014] EWHC 13 (QB) in February. The case is about objections against personal data gathered through Apple’s Safari browser. Among the important issues raised by this case is whether, in order to be awarded compensation for a DPA breach, one has to establish financial loss (as has commonly been assumed). If the answer is no, this could potentially lead to a surge in DPA litigation.

The General Data Protection Regulation: where are we?

I did a blog post last January with this title. A year on, the answer still seems to be that we are some way off agreement on what the new data protection law will be.

The latest text of the draft Regulation is available here – with thanks to Chris Pounder at Amberhawk. As Chris notes in this blog post, the remaining disagreements about the final text are legion.

Also, Jan Philipp Albrecht, the vice-chairman of the Parliament’s civil liberties committee, has reportedly suggested that the process of reaching agreement may even drag on into 2016.

Perhaps I will do another blog post in January 2016 asking the same ‘where are we?’ question.

Robin Hopkins @hopkinsrobin

How to apply the DPA

Posted on | by Robin Hopkins

Section 40 of FOIA is where the Freedom of Information Act (mantra: disclose, please) intersects with the Data Protection Act 1998 (mantra: be careful how you process/disclose, please).

When it comes to requests for the disclosure of personal data under FOIA, the DPA condition most commonly relied upon to justify showing the world the personal data of a living individual is condition 6(1) from Schedule 2:

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

That condition has multiple elements. What do they mean, and how do they mesh together? In Goldsmith International Business School v IC and Home Office (GIA/1643/2014), the Upper Tribunal (Judge Wikeley) has given its view. See here Goldsmiths. This comes in the form of its endorsement of the following 8 propositions (submitted by the ICO, represented by 11KBW’s Chris Knight).

Proposition 1: Condition 6(1) of Schedule 2 to the DPA requires three questions to be asked:

(i) Is the data controller or the third party or parties to whom the data are disclosed pursuing a legitimate interest or interests?

(ii) Is the processing involved necessary for the purposes of those interests?

(iii) Is the processing unwarranted in this case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?

Proposition 2: The test of “necessity” under stage (ii) must be met before the balancing test under stage (iii) is applied.

Proposition 3: “Necessity” carries its ordinary English meaning, being more than desirable but less than indispensable or absolute necessity.

Proposition 4: Accordingly the test is one of “reasonable necessity”, reflecting the European jurisprudence on proportionality, although this may not add much to the ordinary English meaning of the term.

Proposition 5: The test of reasonable necessity itself involves the consideration of alternative measures, and so “a measure would not be necessary if the legitimate aim could be achieved by something less”; accordingly, the measure must be the “least restrictive” means of achieving the legitimate aim in question.

Proposition 6: Where no Article 8 privacy rights are in issue, the question posed under Proposition 1 can be resolved at the necessity stage, i.e. at stage (ii) of the three-part test.

Proposition 7: Where Article 8 privacy rights are in issue, the question posed under Proposition 1 can only be resolved after considering the excessive interference question posted by stage (iii).

The UT also added this proposition 8, confirming that the oft-cited cases on condition 6(1) were consistent with each other (proposition 8: The Supreme Court in South Lanarkshire did not purport to suggest a test which is any different to that adopted by the Information Tribunal in Corporate Officer).

Those who are called upon to apply condition 6(1) will no doubt take helpful practical guidance from that checklist of propositions.

Robin Hopkins @hopkinsrobin

Happy birthday FOIA: orthodoxy and liberalism

Posted on | by Robin Hopkins

With FOIA celebrating its tenth birthday this month, it is striking that one of its most taken-for-granted axioms has been called into question. The axiom is this: the relevant time is the time of the request, extending perhaps until the statutory time for compliance with the request. When you are assessing the public interest balance and the engagement of exemptions, that is the time you look to; you ignore later developments.

In Defra v IC and the Badger Trust (GI/79/2014), the requester (the Badger Trust) had requested information about Defra’s risk assessments for the proposed badger culling programme. The ICO ordered disclosure. Defra appealed. The case was transferred to the Upper Tribunal due to a witness anonymity issue. The Upper Tribunal dismissed Defra’s appeal. It was not persuaded by Defra’s evidence as to the public interest balance. The judgment is here DEFRA v ICO and Badger Trust – Judgment on Public Interest.

In its judgment, the UT pondered the question of the relevant time. It declined to rule, but stated that it considered this question to be an open one: see paragraphs 44-48. A central tenet of FOIA/EIR orthodoxy over the past decade has been called into question.

Another recent UT judgment is worthy of note as FOIA turns ten. It does not introduce uncertainty, but rather – from the point of view of FOIA’s fans – provides a heartening affirmation of the purpose of the legislation. The case is UCAS v IC and Lord Lucas [2014] UKUT 0557 (AAC): see here UCAS. It was about the extent to which FOIA applied to UCAS. The point I draw out here is this one, at paragraph 39 of the decision of Judge Wikeley:

“I agree with Mr Knight that the starting point in this exercise in statutory interpretation must be the principle that FOIA is a constitutionally important piece of legislation, the scope of which must be interpreted broadly. This much is plain from Sugar (No. 2) itself (see Lord Walker at [76] and Lord Mance at [110]), as well as from other decisions of the House of Lords and Supreme Court (see Common Services Agency v Scottish Information Commissioner [2008] UKHL 47 at [4] per Lord Hope and Kennedy v Charity Commission [2014] UKSC 20 at [153] per Lord Sumption). This emphasis on a liberal construction is, to borrow a phrase from a different context of statutory interpretation, the golden thread which runs through the FOIA case law, whether in the rarefied atmosphere of the Supreme Court or on the judicial shop floor at the First-tier Tribunal.”

So then, happy birthday FOIA. Some of the assumptions of your youth may be in question, but your golden thread is strong. Somebody put that in a greeting card, please.

I appeared in the Badger Trust case. Chris Knight appeared in the UCAS case.

Robin Hopkins @hopkinsrobin